The longer the cookie lifetime, the less secure the user sessions. :-)

Comments

VinceW’s picture

Status: Active » Postponed (maintainer needs more info)

LS,

After taking over maintainership of this module (see: #507278: Request to take over ownership of Security) I'm cleaning up the issue queue.

I postponed this issue because I would like to know if it still is one.

If no issue in about 2 weeks, I'm going to close it.

Best,
VinceW

-=[ Your Information Matters ]=-

David Lesieur’s picture

I think a more secure policy for session cookies is to set their lifetime to 0 so that they are removed when the browser closes. This reduces the risk of a user on the same client taking advantage of another user's old sessions.

izmeez’s picture

Please excuse me if this is not appropriate to the discussion but it seems to be related to two other issues that seem somewhat inter-related.

There is a long discussion including a core-hack
http://drupal.org/node/197786#comment-1055633

From the testing I have been able to do, this seems to fix both the intermittent problem that on logout the display still appears as if a user is not logged out but clicking on new authenticated content gives an access denied; and the problem of being able to see pages previously viewed by authenticated users by using the browser back button after log out.

This gave rise to a discussion of what is the "standard" behaviour for browsers. I do not think that discussion has really taken off. Personally, I do not understand how "standard" behaviour would allow anyone to see content after logging out. That doesn't seem intuitive to me. Nonetheless, I am not attempting to pre-empt any discussion, just writing to ensure you are aware of that thread.

Secondly, there is a discussion on changing settings.php so that the cookie lifetime is zero, http://drupal.org/node/263150
We have found this is needed on Drupal 6.x to ensure that a session ends if a user closes the browser without logging out. Again, this seems to be a necessity and we have implemented it.

Not sure if this is any help to your attempt to clean things up.

Izzy

VinceW’s picture

A few questions to get this discussion in the direction of this module's purpose... (which is: analyzing a Drupal installation and creating a Security Information Report (SIR) about this analysis.)

  1. Is there any 'proof' that a cookie lifetime of 0 is safer?
  2. Would it be of any value for an admin to know what's the current setting?
  3. Can an admin influence this setting at this moment?

Any feedback on this would help me to decide if it's worth implementing it as a feature in the security module.

Best,
VinceW

David Lesieur’s picture

  1. Perhaps there are proofs out there, but basically that is just common sense. For similar reasons, most banking sites will terminate the session after just a few minutes of inactivity.
  2. If we agree that the cookie lifetime can have an impact on security, however small that impact may be, then yes.
  3. Yes. There is an entry for cookie lifetime in settings.php.

VinceW’s picture

Use of cookies and deletion of them is partially a user responsibility. Users should not use public computers for payments, or other sessions where trusted information is required. On the other hand, a website is also responsible for (not) setting persistent cookies on trusted/private information.

Therefore it is my belief that it is beneficial security information for a site admin to know what the actual setting of the cookie lifetime is, and I will add it to the Security module.

Best,
VinceW
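The kind of check described above, as an added example that is not code from the Security module or from Drupal: it shows the weak settings.php value beside the hardened one and classifies the effective value for a report. The `cookie_lifetime_finding()` function, its thresholds and the message wording are assumptions for illustration.

```php
<?php
// Added example, not part of the Security module. The two settings.php lines
// below are the ones under discussion: Drupal 6 default.settings.php ships
//
//   ini_set('session.cookie_lifetime', 2000000);  // ~23 days: cookie survives browser restarts
//
// and the hardened variant from the thread is
//
//   ini_set('session.cookie_lifetime', 0);        // session cookie: removed when the browser closes
//
// Note that this value only governs the cookie on the client. The server-side
// session row lives until PHP's garbage collection (session.gc_maxlifetime)
// removes it, so a long gc_maxlifetime still deserves its own finding.

/**
 * Classify a session.cookie_lifetime value (seconds) for a security report.
 * Thresholds are illustrative assumptions, not a standard.
 *
 * @return array with keys 'severity' ('ok', 'notice' or 'warning') and 'message'.
 */
function cookie_lifetime_finding($lifetime) {
  $lifetime = (int) $lifetime;

  if ($lifetime === 0) {
    return array(
      'severity' => 'ok',
      'message'  => 'Session cookie expires when the browser is closed.',
    );
  }

  if ($lifetime <= 3600) {
    return array(
      'severity' => 'notice',
      'message'  => sprintf('Session cookie persists for %d minutes after the last response.', $lifetime / 60),
    );
  }

  return array(
    'severity' => 'warning',
    'message'  => sprintf('Session cookie persists for %.1f days; a user who does not log out stays authenticated on that client for that long.', $lifetime / 86400),
  );
}

// When run inside a bootstrapped Drupal site, settings.php has already applied
// its ini_set() calls, so ini_get() reports the effective value.
$finding = cookie_lifetime_finding(ini_get('session.cookie_lifetime'));
printf("[%s] %s\n", strtoupper($finding['severity']), $finding['message']);
```

Fed the Drupal 6 default of 2000000 seconds, the function returns a 'warning' finding reporting roughly 23.1 days; fed 0 it returns 'ok'.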

VinceW’s picture

Assigned: Unassigned » VinceW
Status: Postponed (maintainer needs more info) » Needs work

Changed status and assignment :-)

pellesimon’s picture

The high default cookie lifetime is an unacceptable security risk for a default installation.

Not logging out can keep an admin logged in for up to 24 days. This should be changed a.s.a.p.

Having your sessions closed on closing your browser is acceptable -- in my opinion a default setting should always respect higher security.

Logging out is not common practice -- please fix it -- I was quite shocked seeing the lifetime so high.

VinceW’s picture

Status: Needs work » Closed (won't fix)

Very old. Closed because there is going to be a new start of this module.